Cyber Security "Vulnerability Management" Service and Service Offering
10-24-2023 10:07 PM
Hi all, I am very interested in your views about modelling out a cyber security service and service offering for vulnerability management. I'm a bit of a fan of using the Technology Business Management (TBM) standard as a starting point.
TBM has a service called Threat & Vulnerability Management with the following description: Threat and vulnerability management services ensure an organization's application and infrastructure vulnerabilities are proactively identified, classified and corrected to ensure they are not exploited by unauthorized individuals or parties.
I'm reasonably comfortable with that description of a service but keep going back and forth about what I might have as a corresponding offering. One of my gripes with the CSDM is the strict distinction between offering and service. It's very good for mature organizations but not so much for those early in their journey.
In any case, I could see an option where the offerings are framed around a flavour of vulnerability management (for example, application vulnerability monitoring, infrastructure vulnerability monitoring); the vulnerability management systems linked to application services (for example, Microsoft Defender Vulnerability Management, Rapid7); or, perhaps the 'tier' or 'level' of vulnerability management (for example, 24x7 eyes on glass; 9x5, etc.).
Thoughts?
03-12-2025 12:27 AM
Great topic! I completely agree that TBM’s Threat & Vulnerability Management service provides a solid foundation, but defining a clear service offering can be tricky, especially for organizations early in their cybersecurity maturity journey.
Your idea of structuring offerings based on flavors of vulnerability management makes a lot of sense. Breaking it down into application vs. infrastructure vulnerability monitoring can help align offerings with different business needs. Additionally, linking vulnerability management systems to specific application services (e.g., Microsoft Defender, Rapid7) is a practical way to categorize services.
The idea of tiered service levels (e.g., 24x7 monitoring vs. business hours support) is also valuable, as it provides flexibility for organizations with varying risk tolerances and budgets. You might also consider a risk-based approach, where offerings are tiered based on the criticality of assets being protected rather than just service hours.
Would love to hear how you see these approaches fitting into the TBM framework and whether a hybrid model might be an option for flexibility. Looking forward to your thoughts!
https://www.devitpl.com/
03-20-2025 07:28 AM
Structuring Vulnerability Management as a service makes sense if it aligns with how your organization handles security. I've seen teams define it as both a service and a capability, depending on needs.